We’ve always argued that the most secure password is one you don’t even know and is basically incomprehensible. Security expert Thomas Baekdal argues that these incomprehensible passwords — while secure — are not as secure as a more memorable and simple phrase. In other words, this is fun is a more secure password than s$yK0d*p!r3l09ls. Here’s why.Baekdal outlines that using the three most common methods of cracking passwords — brute-force, common word and dictionary attacks — are really only useful if a password can be cracked in a reasonable amount of time. If a password can be cracked in a few minutes, it’s not a terribly secure password. If it can be cracked in about a month, that’s still a while but not entirely secure. A year is where you can start feeling secure, but the best passwords take a lifetime to crack. Baekdal states that a gibberish password, like J4fS, will take about 219 years to crack using a brute-force attack (the fastest method). That’s secure for life, but it’s not terribly easy to remember. On the other hand, a phrase like “this is fun” would take about 2537 years to crack using a brute-force attack. It’s not only more secure, but also easier to remember.
This happens because of the spaces, which are special characters (you could use – or ! instead of spaces, if you wanted to). Uncommon words also increase the complexity, so if you want your password to outlive the human race you could use something like fluffy is puffy.
Baekdal’s article spurred a lot of debate and plenty of questions, many of which he’s answered. While you are certainly more secure if nobody — not even you — know your passwords, you still need a master password that you have to remember. If you want a password that’s remarkably easy to remember, this is a great way to get one.
The Usibility of Passwords [Baekdal]